Stubby-Installer-Asuswrt-Merlin

[#TY]

I would like to prevent kids from accessing

• Adult = Malicious + Sexual content (normally set from the DNSFilter CleanBrowsing Setting)

However, this setting is currently off as I properly installed and configured Stubby today and I don't want to risk messing things up.

Is there a reliable way to still use Stubby but configure the kids devices to be safe at the same time?

 

[dave14305]

I would like to prevent kids from accessing

• Adult = Malicious + Sexual content (normally set from the DNSFilter CleanBrowsing Setting)

However, this setting is currently off as I properly installed and configured Stubby today and I don't want to risk messing things up.

Is there a reliable way to still use Stubby but configure the kids devices to be safe at the same time?

You could reconfigure stubby.yml to use Cleanbrowsing, but it might not be as reliable as Cloudflare.

https://cleanbrowsing.org/guides/dnsovertls

 

[bbunge]

I would like to prevent kids from accessing

• Adult = Malicious + Sexual content (normally set from the DNSFilter CleanBrowsing Setting)

However, this setting is currently off as I properly installed and configured Stubby today and I don't want to risk messing things up.

Is there a reliable way to still use Stubby but configure the kids devices to be safe at the same time?

You can set stubby to use CleanBrowsing Adult resolvers:

# # Cleanbrowsing-Adult
  - address_data: 185.228.168.10
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

  - address_data: 185.228.169.11
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

  - address_data: 2a0d:2a00:1::1
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

  - address_data: 2a0d:2a00:2::1
    tls_auth_name: "adult-filter-dns.cleanbrowsing.org"

Of course this will apply to all the devices on your network.

Edit: You can try to do MAC Address assignment for the kids devices. They can just change the MAC address. Or they could use the 1.1.1.1 iOS or Android app and bypass your efforts. Or you could use a hammer and destroy their devices and give them a book... Seriously, education, supervision and trust goes a long way. There are plenty of ways to try to protect kids which can be by-passed. I have done network admin for churches and faith based not-for-profits for years and the kids have, in time, figured a way to get to where they want to go.

 

[Xentrk]

Doesn't that mean that Firefox will use the DNS server configured in Firefox, instead of the system configured DNS?

(i.e., bypassing Stubby?)

I recall a detailed post stating that was the case. It is buried somewhere in this thread.

 

[Xentrk]

@Marin

kdig looks like a very powerful DNS utility.

The drill utility is very similar and available on entware. The name drill is a pun on dig. With drill you should be able get even more information than with dig. Not sure how kdig differs though.

Following is a code snip from a program I wrote that gets all the IPv4 address for a domain name:

drill -4 $DOMAIN | grep -v SERVER | grep -E "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" | cut -f 5

If the site supports DNSSEC, you will see an "ad" flag in the response.

drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7760
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
<snip>

 

[skeal]

@Marin

kdig looks like a very powerful DNS utility.

The drill utility is very similar and available on entware. The name drill is a pun on dig. With drill you should be able get even more information than with dig. Not sure how kdig differs though.

Following is a code snip from a program I wrote that gets all the IPv4 address for a domain name:

drill -4 $DOMAIN | grep -v SERVER | grep -E "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" | cut -f 5

If the site supports DNSSEC, you will see an "ad" flag in the response.

drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7760
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
<snip>

drill works really nice but as far as I can tell lacks TLS query

 

[Marin]

@Marin

kdig looks like a very powerful DNS utility.

The drill utility is very similar and available on entware. The name drill is a pun on dig. With drill you should be able get even more information than with dig. Not sure how kdig differs though.

Following is a code snip from a program I wrote that gets all the IPv4 address for a domain name:

drill -4 $DOMAIN | grep -v SERVER | grep -E "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" | cut -f 5

If the site supports DNSSEC, you will see an "ad" flag in the response.

drill -D x3mtek.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7760
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
<snip>

Thank you @Xentrk! I have not experimented with kdig much but I do like drill. Was able to download it from your Github site when I was following Stubby’s validation steps. I also use the ISC Dig app in my phone and it does help to show sites that validate DNSSEC.


Sent from my iPhone using Tapatalk

 

[Marin]

drill works really nice but as far as I can tell lacks TLS query

Thank you @skeal! I need to do some more “kdigging” to see if there are any other commands I can use it with. I have been using the commands you included in your recent posts as so far I do like the information I get.


Sent from my iPhone using Tapatalk

 

[Marin]

Thank you @skeal! I need to do some more “kdigging” to see if there are any other commands I can use it with. I have been using the commands you included in your recent posts as so far I do like the information I get.


Sent from my iPhone using Tapatalk

I will start with these and see what I get:

 Examples
1.
Get A records for example.com:
$ kdig example.com A
2.
Perform AXFR for zone example.com from the server 192.0.2.1:
$ kdig example.com -t AXFR @192.0.2.1
3.
Get A records for example.com from 192.0.2.1 and reverse lookup for address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:
$ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
4.
Get SOA record for example.com, use TLS, use system certificates, check for specified hostname, check for certificate pin, and print additional debug info:
$ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
  +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

Sent from my iPhone using Tapatalk

 

[#TY]

Anyone notice connectivity issues with Apple Mail connecting to an iCloud account since using Stubby? I've been having all sorts since. Not sure if its related but its the only thing that has changed. Are there any compatibility issues between Cloudflare and Apple iCloud servers?

 

[bluzfanmr1]

Anyone notice connectivity issues with Apple Mail connecting to an iCloud account since using Stubby? I've been having all sorts since. Not sure if its related but its the only thing that has changed. Are there any compatibility issues between Cloudflare and Apple iCloud servers?

I use Apple Mail/iCloud/Cloudflare and have had no issues with Stubby.

 

[vesalius]

I use Apple Mail/iCloud/Cloudflare and have had no issues with Stubby.

Same here

 

[Seamaster]

I use Apple Mail/iCloud/Cloudflare and have had no issues with Stubby.

Same here.

 

[Xentrk]

Anyone notice connectivity issues with Apple Mail connecting to an iCloud account since using Stubby? I've been having all sorts since. Not sure if its related but its the only thing that has changed. Are there any compatibility issues between Cloudflare and Apple iCloud servers?

iCloud appears in some hosts blocking files. If you use Diversion, select the follow the log file option to see if that may be the issue.

 

[#TY]

I installed Diversion and I see the follow log file option. I'm not sure where I should or rather what I should be looking for. Thanks for clarifying.

 

[Xentrk]

I installed Diversion and I see the follow log file option. I'm not sure where I should or rather what I should be looking for. Thanks for clarifying.

Blocked domains appear in red text.

Since you did not have Diversion installed before experiencing the issue, it cant be the root cause.

What router and firmware version do you have installed? Try changing to Quad9 or google to see if you still have the issue.

Edit stubby.yml to use Quad9 and restart stubby. Instructions are on the github README.md.

 

[#TY]

Ok. Things with iCloud seem to have resolved themselves. Turns out my ISP's modem was having issues and when I restarted it, everything seems to have fallen back in place, including my reliable VPN connection.

This brings me to my next question and I'm fairly certain what I'm seeing is normal but I want to be 100% sure.

On my VPN providers test page, it shows that I am properly connected to their VPN, but their DNS leak test claim that my DNS is leaking. Am I correct in assuming they're saying that because Im not using their DNS Servers but rather Cloudflare's (what Stubby defaults to)? Reference: attached screenshot.

In my VPN client settings: Accept DNS Configuration is set to Disabled.
I've also disabled DNS Filtering on the router.
On the WAN side: Connect to DNS Server automatically is set to No and DNS Server one point to my ASUS router's IP.

Thanks again.

 

[#TY]

Is CPU usage after Stubby and Diversion is installed supposed to be high? Reference: attached screenshot.

Asus RT-AC5300 running Merlin 384.10

 

[Xentrk]

Ok. Things with iCloud seem to have resolved themselves. Turns out my ISP's modem was having issues and when I restarted it, everything seems to have fallen back in place, including my reliable VPN connection.

This brings me to my next question and I'm fairly certain what I'm seeing is normal but I want to be 100% sure.

On my VPN providers test page, it shows that I am properly connected to their VPN, but their DNS leak test claim that my DNS is leaking. Am I correct in assuming they're saying that because Im not using their DNS Servers but rather Cloudflare's (what Stubby defaults to)? Reference: attached screenshot.

In my VPN client settings: Accept DNS Configuration is set to Disabled.
I've also disabled DNS Filtering on the router.
On the WAN side: Connect to DNS Server automatically is set to No and DNS Server one point to my ASUS router's IP.

Thanks again.

Regarding the DNS Leak test results. Yes, because you are not using the VPN of the provider, most test sites will give a warning that "you may be" or "are" leaking your DNS request. There are several definitions floating around the net of what a DNS leak is. For me, the purist definition of a DNS leak is when DNS requests are being routed to your ISP rather than the VPN provider. But since you defined your router to use Cloudflare, DNS request are going where you told them to. With DoT using Stubby, the DNS requests are encrypted so your ISP can't snoop on you. So, no need to worry. In fact, using Cloudflare may be result in faster queries when compared to using DNS of the VPN provider.

The settings you list are correct except for the DNS Filter setting. That was a recent change in the installer script. There is a prompt/question in the installer script asking if you want to force all LAN clients to use Stubby. If you select the option, the DNS Filter setting made by the installer will force all LAN clients to use Stubby DoT. For example, if you have DNS configured in a Windows 10 device, it will override the DNS specified on the router. The DNS Filter setting forces all LAN clients to use Stubby. @skeal has a picture of the DNS Filter screen in this post.

 

[Xentrk]

Is CPU usage after Stubby and Diversion is installed supposed to be high? Reference: attached screenshot.

Asus RT-AC5300 running Merlin 384.10

Diversion and Stubby will not cause increase load on the router. There may me a spike during the initial start-up of the router when services are getting launched.

Logon to an SSH session

Find out what uses the memory:

For an overview, use

cat /proc/meminfo

Run the command "htop" to see what is using memory. You will have to first install htop from entware.

opkg install htop

Also, install AMTM and add swap space to the storage device to improve performance.
https://diversion.ch/amtm.html